
Court: FTC can bring down the hammer on companies with sloppy cybersecurity

In a case testing regulators' authority to police companies' cybersecurity practices, a U.S. appeals court said Wyndham Worldwide Corp. must defend a suit in which it's accused of failing to secure its computers from Russian hackers.


The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.

The FTC alleged that the failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in the Russian Federation.

A Wyndham spokesman said the company was reviewing the decision.

Representatives of Wyndham and the FTC didn’t immediately respond to requests for comment on the appeals court ruling. “We believe the facts will show the FTC’s allegations are unfounded”, reads a statement from Wyndham spokesperson Michael Valentino.

When corporate databases are breached by hackers who steal consumers’ private information, the company's response often amounts to little more than “Sorry about that”.

Even if Wyndham does eventually lose its case against the FTC, it likely won’t be fined, says Berkeley Law professor Chris Hoofnagle. After a string of three data breaches, the FTC argued that Wyndham’s security practices had put customers at risk.

The FTC contends it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches. Wyndham argued that the company was also a victim of the hackings and was being penalized unfairly, Bloomberg said.

Wyndham’s argument “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability”, Judge Thomas Ambro wrote in the court’s 47-page opinion.


Since 2002, the Federal Trade Commission has been pursuing businesses for substandard cybersecurity practices under Section 5 of the FTC Act, which empowers the FTC to crack down on unfair business practices. As data breaches increasingly become a source of real suffering for consumers (see the reports of suicides that have already resulted from Ashley Madison’s scandalous data spill), the agency’s mandate is more important than ever.

Federal Trade Commission Chairwoman Edith Ramirez speaks during a news conference in Washington on Oct. 8, 2014.